
Microsoft Defender for Office 365 Blog

Introducing new actions from the Email Entity page!

soumyamishra
Microsoft
Aug 11, 2022

Email remediation is a powerful tool that security operations teams can use to act on suspicious emails. From Threat Explorer, SecOps can trigger email purge actions, submit emails to Microsoft for analysis, and start investigative actions.

 

Introducing new capabilities to the Email Entity Page

Since its release in 2020, we’ve seen tremendous use and heard great feedback about the Email entity page, which provides a 360-degree view of an email in one location. We understand that customers spend a major amount of time analyzing suspicious emails through the Email entity page, and so we’re announcing new actions that can be taken from this popular view. With these changes, you'll no longer have to move to a different page to take response actions. Security teams can now take email actions inline, such as soft delete, move to junk, move to deleted folder, trigger an investigation, and submit to Microsoft for review. With this change we’re also bringing tenant-level block actions like block file, block URL, and block sender or domain into the Email entity page, so you can create tenant-level block rules.

 

 

Take actions with the Action wizard

You can click Take actions in the top right corner of the entity page to open the Action wizard and select the specific action. Please refer to the permissions required to take these actions.

 

Figure 1: The Email Entity page now contains the Take actions option in the top right of the page.

 

In the Action wizard you can take email actions, email submissions, block sender / sender domain, investigative actions, and two-step approval (add to remediation) in the same side pane. This follows a consistent flow for ease of use. For example, the Action wizard uses the same system as Threat Explorer actions (for Delete/Submissions/Investigation actions). You will be able to see and track these actions in the Unified action center (for deleted emails), in the Submission portal (for submissions), and in the Tenant Allow/Block Lists page (for TABL blocks). This is an experience update and will not impact any functionality or backend processes.

 

Figure 2: The new Action Wizard from the Email Entity page

 

 

Tenant blocks

We are also bringing Tenant block URL and Tenant block attachment to the respective Email entity URL and Attachments tabs. Upon approval, all the Tenant Allow/Block List (TABL) block URLs and block attachments can be tracked under the TABL URL and TABL file pages.

Figure 3: New Tenant Allow/Block List (TABL) integration

 

Figure 4: Taking a block URL action from the Email Entity page

 

 

We think you are going to love these new capabilities in the email entity view, and we look forward to your feedback! Please refer to our documentation for more information on the email entity page and related actions.

 

Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.

Updated Aug 11, 2022
Version 1.0